

Packet Crafting via HPing v2

The author of this program is Salvatore Sanfilippo, a hacker from Agrigento, Italy, so all kudos go to him for crafting such an excellent tool. He is presently working on v3 and will hopefully release it soon. There are several tutorials on the web regarding this tool, a couple of them by the author himself. However, I found them to be confusing and often difficult to follow. This is no fault of the author, seeing as his mother tongue is not English.

The reason I chose to learn this tool is very simple. I was curious as to how the people who were attempting to gain access to our networks were going about it. One of the ways is packet crafting. Crafting packets lets you probe firewall rulesets and find entry points into the targeted system or network.

The following presentation will show you how to use this tool. It will not, however, teach you how to hack or how to secure your network. You can do both with HPing, but to do either successfully you will need a lot more knowledge of TCP/IP, routers, access control lists, the OSI model, and other areas.

What I hope to accomplish with this brief is to show you just how easy it is to craft packets, and perhaps give you a glimpse into the world of the black-hat hacker. Not to mention, hopefully, stimulate your curiosity and encourage you to further explore the murky world of the hacker. The one constant with hackers of all stripes, whether black, white or grey hat, is that they have a burning curiosity about computers.

One last note on HPing before we start to look at it. HPing will run on any Linux distro, as well as on Net/Free/OpenBSD, and on Solaris. Since it builds packets on raw sockets you have to run it as root. I highly advise you to run tcpdump at the same time: it lets you watch your crafted packets leave and see exactly what comes back. I have included tcpdump snippets to show what the outgoing and incoming packets look like on the wire. I believe this to be an important part, as it allows you to visualize the packets.

The two packets you see below are just one IP address sending a SYN packet to another. Doing this with HPing is a very simple task: type in exactly the command syntax noted below and voilà, a SYN packet is sent!
The SYN packet is the first step of the TCP three-way handshake. To open a connection between two computers, the very first step is to send a SYN to the computer you wish to talk to. This is followed by a SYN/ACK from the other side and, in turn, by your ACK. At that point the connection is established and the exchange of data can begin.
Be aware that when you do not specify a destination port, HPing defaults to port 0. Also, if you do not specify a source port, it picks a random ephemeral port and increments it by one for each packet sent. More on how to specify both src/dst ports later. On with the basics for now.

The packet below is a reset packet. A RST tears down (or refuses) a connection. As you can see, the command syntax is very similar; the only change is the switch itself: -R instead of -S.

The packet below is an ICMP echo request, i.e. a ping. It is useful for determining whether or not a specific host is up. The command syntax is a little different for this packet: we tell hping that we want ICMP mode with the -1 switch, followed by the IP address of the host we are pinging. ICMP has a great many uses, but only this one will be covered for now.

The packet below is simply a UDP packet. Sending one is easy as well: we tell hping that we want UDP mode with the -2 switch. The default protocol for hping is TCP, which is why we need to tell hping which protocol to send by changing the mode.

The packet below is a SYN packet directed at port 21, aka FTP. Sending a SYN to a specific port requires one more switch, and this is where hping begins to shine. As noted below, we are sending a SYN (-S) packet to 24.114.xxx.xxx, specifically to its FTP port, by adding the -p switch followed by the destination port number. To pick the source port the packet leaves your machine from, use the -s switch followed by a port number, just as with the destination port in the example below.

The packet below is a PUSH packet directed at a specific port, in this case HTTP port 80. The "payload" for the PUSH packet should be prepared ahead of time in a file that you name on the command line. You will also have to make sure the data size is large enough to hold your payload, hence one more switch. I will go over each switch for this type of packet one by one.

-P Tells hping to set the PSH flag

24.114.xxx.xxx This is the destination IP

-d Sets the size of the data portion of the packet; in this
case we have set it to 80 bytes

-p Specifies the destination port, in this case port 80

-E Tells hping which file to read the payload from,
e.g. /home/don/test.sig. Quite useful, obviously, for
pre-compiled exploits, e.g. buffer overruns

Two things to keep in mind here. -d sets the data length and -E is what fills it, so keep -d at least as large as your payload file. And a lone PSH segment is not part of any established connection: the target's TCP stack drops an out-of-state segment that carries neither SYN nor ACK, and the listening application never sees the data. What this packet really tests is how the firewall and the stack treat such a segment, not the service behind the port.

I will now show you how to do what is called idle host scanning. What this means is that we use another machine's IP address to scan the target computer for open services. To simplify, I will use one borrowed IP address to scan another address, with HPing of course. The one caveat is that the other machine needs to be idle; by that I mean not in use by its owner. This is needed because while I am spoofing his address and sending SYN packets to my target, I will also be sending probe packets (ICMP echo requests, in the second session below) to his machine to monitor its IP ID numbers. It is through monitoring those numbers that we learn whether the target has open services.
When a machine is idle and you probe it, its IP ID numbers normally go up in a predictable sequence, one per packet it sends. If the sequence skips, it is because the host has sent an extra packet. Here is why: when our spoofed SYN hits an open port, the target sends a SYN/ACK to his computer, and his machine, which never sent a SYN, answers it with a RST. That RST consumes an IP ID, so the sequence we are watching jumps by one more than expected, indicating that the port we just probed is open. If the port is closed, the target sends his machine a RST instead, which it silently ignores, and the sequence does not skip. All of this is done
without ever exposing our own address to the target machine.

To accomplish this we need two sessions of HPing running at the same
time, as well as tcpdump.

1st session of HPing will contain the below command syntax

hping -S 131.137.xxx.xxx -a 24.114.xxx.xxx -p ++21

-S This again is a SYN packet

131.137.xxx.xxx is our target machine

-a The switch used to spoof the source IP address

24.114.xxx.xxx is the spoofed address, i.e. his computer

-p The switch used to specify the destination port

++21 Tells hping to start at port 21 and increase the destination port by one for each packet sent (one packet per second by default)

The 2nd session of HPing will contain the below noted command syntax

hping -1 24.114.xxx.xxx

By sending ICMP echo requests to his machine I get back the info
I need: TTLs and, more importantly, the IP ID numbers. I keep
pinging his box the whole time I am sending spoofed SYN packets to
the target, in the hope that the target responds. Every SYN/ACK the
target sends to his machine makes it answer with a RST, which pushes
its IP ID one step past the predictable sequence, indicating that
the port probed at that moment is open. Adding -r to this command
makes hping print each id as an increment over the previous reply,
which makes the jump much easier to spot.

Be aware, though, that this only works with a middle man whose IP ID
numbers you can monitor. A machine that runs no services and is
firewalled will not do, since any packet you send it, ICMP, SYN or
otherwise, is simply dropped, and a zombie that never answers the target's SYN/ACK with a RST leaks nothing. Your best bet is to social engineer someone at work who has a broadband account.

Get them to email you, take their IP address from the mail headers, and set up your attack while they are asleep, or at any time if they have no firewall or lack the knowledge to interpret its logs.
Either way, here is a URL that does an excellent job of explaining
the IP ID attack. There are many more out there, just Google for them: http://www.bursztein.net/secu/temoinus.html
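The inference step of the idle scan described above, as an added example that is not part of the original post or of hping: it reads the reply lines that `hping -1 <zombie>` prints, measures how the zombie's IP ID moves between one ping and the next, and maps each extra increment to the port the `-p ++21` session was probing at that moment. It assumes the hping2 reply format (`len=46 ip=... ttl=... id=... icmp_seq=... rtt=... ms`), one spoofed SYN and one ping per second so that the probe of port first_port+i falls between ping replies i and i+1, and a 16-bit ID counter; the sample lines and addresses are constructed, not captured.

```python
"""Infer open ports from a zombie's IP ID sequence during an idle scan.

Added example, not part of the original post or of hping itself. Assumes
the reply lines hping2 prints for `hping -1 <zombie>` and the timing used
in the post: `-p ++<first_port>` sends one spoofed SYN per second while
the pings also go out once per second, so the probe of port first_port+i
lands between ping reply i and ping reply i+1 (start the ping session a
moment before the scan session). All sample lines below are constructed.
"""
import re
from collections import Counter

REPLY_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>[\d.]+) ttl=(?P<ttl>\d+) id=(?P<id>\d+) "
    r"icmp_seq=(?P<seq>\d+) rtt=(?P<rtt>[\d.]+) ms"
)

# Constructed replies from a zombie that increments its IP ID by one per
# packet, while ports 21 and up are being probed with spoofed SYNs.
SAMPLE_REPLIES = [
    "len=46 ip=24.114.0.1 ttl=128 id=1000 icmp_seq=0 rtt=1.2 ms",
    "len=46 ip=24.114.0.1 ttl=128 id=1001 icmp_seq=1 rtt=1.1 ms",
    "len=46 ip=24.114.0.1 ttl=128 id=1003 icmp_seq=2 rtt=1.3 ms",  # +2: port 22 open
    "len=46 ip=24.114.0.1 ttl=128 id=1004 icmp_seq=3 rtt=1.2 ms",
    "len=46 ip=24.114.0.1 ttl=128 id=1007 icmp_seq=5 rtt=1.4 ms",  # reply 4 was lost
    "len=46 ip=24.114.0.1 ttl=128 id=1008 icmp_seq=6 rtt=1.2 ms",
    "len=46 ip=24.114.0.1 ttl=128 id=1012 icmp_seq=7 rtt=1.1 ms",  # +4: zombie not idle
    "len=46 ip=24.114.0.1 ttl=128 id=1013 icmp_seq=8 rtt=1.2 ms",
]


def parse_reply(line):
    """Fields of one hping2 ICMP reply line, or None for anything else."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "ttl": int(m["ttl"]), "id": int(m["id"]),
            "icmp_seq": int(m["seq"]), "rtt": float(m["rtt"])}


def id_deltas(replies):
    """IP ID increments between consecutive replies, modulo 2**16 so the
    16-bit counter wrapping from 65535 to 0 reads as +1, not -65535."""
    ids = [r["id"] for r in replies]
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def detect_step(deltas):
    """Size of one increment: 1 on most stacks, 256 on hosts that bump the
    ID in host byte order (classic Windows). Taken as the most common
    positive delta, which is the zombie's 'one packet sent' signature."""
    positive = [d for d in deltas if d > 0]
    if not positive:
        raise ValueError("IP ID never changed: this host is not a usable zombie")
    return Counter(positive).most_common(1)[0][0]


def infer_open_ports(reply_lines, first_port, step=None):
    """Classify the port probed in each interval between two ping replies.

    One step: the zombie only answered our ping, so the port is closed or
    filtered. Two steps: it also sent a RST to the target's SYN/ACK, so
    the port is open. More than two: the zombie is not idle and the
    reading is noise. A gap in icmp_seq (lost reply) spans several ports;
    those are reported as unknown rather than guessed.
    """
    replies = [r for r in map(parse_reply, reply_lines) if r]
    if len(replies) < 2:
        raise ValueError("need at least two replies to measure an increment")
    deltas = id_deltas(replies)
    if step is None:
        step = detect_step(deltas)
    result = {"step": step, "open": [], "busy": [], "unknown": []}
    for (a, b), d in zip(zip(replies, replies[1:]), deltas):
        # ports probed between reply a and reply b; normally exactly one
        ports = list(range(first_port + a["icmp_seq"], first_port + b["icmp_seq"]))
        units = d // step
        if len(ports) != 1 or d % step != 0 or units == 0:
            result["unknown"].extend(ports)
        elif units == 2:
            result["open"].extend(ports)
        elif units > 2:
            result["busy"].extend(ports)
        # units == 1: the zombie was quiet, port closed or filtered
    return result


if __name__ == "__main__":
    print(infer_open_ports(SAMPLE_REPLIES, 21))
```

The step detection is what keeps the same code usable against a Windows zombie, whose IDs appear to climb by 256 on the wire; a zombie whose ID does not move at all, or moves randomly, is rejected or shows up as "busy" rather than producing false open ports.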

I have included on the next page some examples of HPing strings and their feedback, as well as the tcpdump logs. Feel free to experiment with them. Beyond that, mess around with fragmented packets, setting the X and Y flags (the two reserved TCP flag bits, -X and -Y) and the like. You will only learn by playing around.
Ideally, get a friend you can bounce this stuff off, and later go over your results with him/her. That is it for now, folks. I hope I was able to edumacate ya some!

These examples are of IP addresses that were bouncing off my firewall.
So I decided to return the favour and take a look for fun. As you can see, port 25 (SMTP) acked back. In case you are wondering what all that gobbledygook at the end of the SYN/ACK packet means, let me explain.

S denotes the SYN flag; together with the ack field below it makes this a SYN/ACK, which means the port is open (a closed port answers with R, a RST)

973256460:973256460 is the range of sequence numbers the segment covers (start:end); they are identical here because a SYN carries no data

ack 1440279771 is the acknowledgment number, one more than the sequence number of our SYN, which is how we know it is a reply to our packet

win 16616 is the receive window, the amount of buffered space the machine has to receive data

<mss 1460> means the maximum segment size is 1460; this relates to the MTU, 1460 being the Ethernet MTU of 1500 minus 20 bytes of IP header and 20 bytes of TCP header
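The SYN/ACK fields just explained, and the handshake described earlier (SYN, SYN/ACK, ACK), as an added example that is not part of the original post or of tcpdump: a small parser for the classic tcpdump TCP summary line (`flags seq:end(len) ack N win W <options>`), a classifier that turns a reply to our SYN into open/closed, and a check that three captured lines really form a valid handshake. It assumes the tcpdump 3.x line format quoted in the post and absolute sequence numbers (`tcpdump -S`), so the ack of each segment can be compared with the sequence number it answers; the sample lines and addresses are constructed to match the fields above.

```python
"""Decode the classic tcpdump TCP summary line and verify a handshake.

Added example, not part of the original post or of tcpdump. Assumes the
tcpdump 3.x line format the post quotes and absolute sequence numbers
(`tcpdump -S`). Sample lines are constructed; addresses are placeholders.
"""
import re

LINE_RE = re.compile(
    r"^(?:(?P<ts>\d\d:\d\d:\d\d\.\d+) )?"
    r"(?P<src>[\w.\-]+)\.(?P<sport>\w+) > (?P<dst>[\w.\-]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFPRW.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: urg (?P<urg>\d+))?"
    r"(?: <(?P<opts>[^>]*)>)?"
)

# Constructed capture of our SYN to port 25, the SYN/ACK it drew, our ACK,
# and a RST from a closed port 21 (all numbers chosen to match the post).
SAMPLE = {
    "syn": "131.137.0.1.1234 > 24.114.0.2.25: S 1440279770:1440279770(0) win 64",
    "synack": "24.114.0.2.25 > 131.137.0.1.1234: S 973256460:973256460(0) "
              "ack 1440279771 win 16616 <mss 1460> (DF)",
    "ack": "131.137.0.1.1234 > 24.114.0.2.25: . ack 973256461 win 64",
    "rst": "24.114.0.2.21 > 131.137.0.1.1235: R 0:0(0) ack 1440279771 win 0",
}


def _port(text):
    # Without -n tcpdump prints service names (smtp, login); keep those as text.
    return int(text) if text.isdigit() else text


def parse_options(text):
    """'mss 1460,nop,wscale 0' -> {'mss': 1460, 'nop': None, 'wscale': 0}"""
    opts = {}
    for item in filter(None, text.split(",")):
        name, _, value = item.strip().partition(" ")
        opts[name] = int(value) if value.isdigit() else (value or None)
    return opts


def parse_tcpdump_line(line):
    """Split one TCP summary line into its fields; absent fields are None."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP line: %r" % line)
    g = m.groupdict()
    return {
        "src": g["src"], "sport": _port(g["sport"]),
        "dst": g["dst"], "dport": _port(g["dport"]),
        "flags": g["flags"],
        "seq": int(g["seq"]) if g["seq"] else None,
        "len": int(g["len"]) if g["len"] else 0,
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]) if g["win"] else None,
        "options": parse_options(g["opts"]) if g["opts"] else {},
    }


def classify_reply(pkt):
    """What a reply to our SYN says about the port it came from."""
    if "R" in pkt["flags"]:
        return "closed"          # RST: nothing listening there
    if "S" in pkt["flags"] and pkt["ack"] is not None:
        return "open"            # SYN/ACK: a listener completed step two
    return "other"


def mss_to_mtu(mss):
    """MSS is the MTU minus 20 bytes of IPv4 header and 20 of TCP header."""
    return mss + 40


def check_handshake(syn, synack, ack):
    """True if the three parsed segments form a valid three-way handshake."""
    return (
        "S" in syn["flags"] and syn["ack"] is None
        and "S" in synack["flags"] and synack["ack"] == syn["seq"] + 1
        and synack["src"] == syn["dst"] and synack["sport"] == syn["dport"]
        and ack["flags"] == "." and ack["ack"] == synack["seq"] + 1
        and ack["src"] == syn["src"] and ack["sport"] == syn["sport"]
    )


if __name__ == "__main__":
    pkts = {k: parse_tcpdump_line(v) for k, v in SAMPLE.items()}
    print("port 25:", classify_reply(pkts["synack"]))
    print("port 21:", classify_reply(pkts["rst"]))
    print("handshake valid:", check_handshake(pkts["syn"], pkts["synack"], pkts["ack"]))
    print("MTU from mss:", mss_to_mtu(pkts["synack"]["options"]["mss"]))
```

The ack check is the part worth keeping in mind when reading your own captures: a SYN/ACK whose ack field is not exactly our sequence number plus one is not a reply to our probe, however plausible it looks, and with tcpdump's default relative numbering the ACK line would show `ack 1` rather than the absolute value this code compares.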